Mal/FakeAV-OY

Category: Viruses and Spyware
Type: Malicious behavior
Prevalence: Small Number of Reports
Protection available since: 25 Oct 2011 09:48:23 (GMT)
Last Updated: 02 Jul 2014 22:12:04 (GMT)


Mal/FakeAV-OY is a fake antivirus (rogue security software) Trojan for the Windows platform. Once installed it displays bogus security warnings and fabricated threat detections to the user. See the Sophos technical paper on fake antivirus for more background on this family of threats.


Examples of Mal/FakeAV-OY include:

Example 1

File Information

Size
433K
SHA-1
000085a9f533e992322f349df93517ef0bd477bc
MD5
29e058a396914b03dac3c763244223af
CRC-32
6a208084
File type
Windows executable
First seen
2007-08-11

Example 2

File Information

Size
788K
SHA-1
000159bcc5ce96cd8b7d18b195ed6be4fa18fb7f
MD5
5d6001142b71b6e08f92a90489d660fd
CRC-32
e7a31a1b
File type
Windows executable
First seen
2012-05-18

Runtime Analysis

Dropped Files
  • C:\WINDOWS\system32\Packet.dll
  • C:\WINDOWS\system32\drivers\npf.sys
  • C:\WINDOWS\system32\wpcap.dll
Registry Keys Created
  • HKLM\SYSTEM\CurrentControlSet\Services\NPF\Security
    Security
    (binary data; contents not legible in the source)
  • HKLM\SYSTEM\CurrentControlSet\Services\NPF
    TimestampMode
    0x00000000
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    AmdAgent
    c:\test_item.exe
  • HKCU\Software\Amd
    DB3
    (binary data; contents not legible in the source)
  • HKLM\SYSTEM\CurrentControlSet\Services\NPF\Enum
    NextInstance
    0x00000001
HTTP Requests
  • http://-$\xf7Fz\x1d\x9f\xce\x1c\xd8\x91m\x87[je\xc8\xfd\xbc\xb4\x01\xe1Ii\x03\xdd4
  • http://-%26RB\x1bz*\xee
  • http://-\b\xb4p\xc8}\xab\x92\xfd\x88P\x89\x1c\xc0\x98\x01^\x918\xfa\xe4\tA\xf4\xc9\x014
  • http://-\x02\xd0\\\xbd\xc2n\x8a\x97\xe0/\x17'\x12\xb0\xcf(\xe33t\xe4\xad7\xe8\xc8\x924
  • http://-\x10\xd4Fv~:\xea\xb6@\xadN\xf1\x1a\r\bTQ\xb5\x95g\x89:+\xcf\xd84
  • http://-\x1e\x19V9
  • http://-\x9b3\\\x91\xb6\xaf\xda~`1e*MVf\xa2\xfc\x98\xc1\xbb\xdf\x01\x83wj4
  • http://-\xa5\xf0N\x1e9N\xb2=
  • http://-\xb4~^\x0f\xa0\x9e\xae\x02\x80\x1c\x1b\x86,\xe7\xa0\x0c5\xcfy\x95Qn\xf3*e4
  • http://-\xd9\x1bt\xce\xd2[\xea+\xa8\xbc\xcbNKpC\x0e\x82\x0c@\x1d\xeb\xe8\x7f:[4
  • http://-\xdaYD\x9a\x1fj\xe2\x1dx\x0e\xfe\xef%26t\xd2\xb6S\x9cB\x8a\x8d\b\x85\x1484
  • http://-\xf1ql\xa1\x93{\xae7\xc0\xa8y\xdc\x17\x02\xb9\xb8\xb2N\xe6}Km\xcc\xfb\xbf4
  • http://-\xf89HuN\x9e\x9e38\x0f\xa5qD\xc7\x9d\xf31}\xed\xe6I\xca\xda\xcd$4
  • http://-\xfc\xd8f\x167\xef\xea\xe9
  • http://-\xffX\xe7\xe8\x9c\xa2\x7f\xc0k\xedL\xb5c\xdf\xf0\xcb\x9eF4}\r\x8dh\xab4
  • http://-\xff\xf8v\x89\xe0/\x82\xd6
  • http://-m6h\"\x9f\x9a\xcaF\xa0|\xdaU\xeb;\x84k\x0e\xe7Bx\x03\x9e\x85\xf0[4
  • http://41.99.126.56/oxXpVU2wPF.htm
IP Connections
  • 116.203.1.78:80
  • 122.205.10.79:80
  • 178.235.69.12:80
  • 182.160.61.87:80
  • 183.83.194.114:80
  • 212.79.112.212:80
  • 213.230.78.74:80
  • 220.89.81.3:80
  • 27.4.152.47:80
  • 41.102.54.55:80
  • 41.99.126.56:80
  • 42.201.221.1:80
  • 82.128.52.36:80
  • 84.240.224.137:80
  • 85.65.101.37:80
  • 87.206.97.14:80
  • 89.108.113.8:80
  • 89.146.112.55:80
  • 94.137.179.39:80
  • 95.57.112.13:80
  • 95.57.50.227:80

Example 3

File Information

Size
89K
SHA-1
000336a60dada5ab74dd596d10a359f45fddf430
MD5
e66c82e9e49ae89013ef494f754b793e
CRC-32
d0de4ed2
File type
application/x-ms-dos-executable
First seen
2012-01-20
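The file hashes and runtime indicators listed above lend themselves to a small offline triage check. The following Python is an added example, not code from the Sophos page or from Sophos tooling: it copies the SHA-1/MD5 values of the three examples and the runtime indicators of Example 2 into lookup tables, computes the same three digests (SHA-1, MD5, CRC-32) for a suspect file, and runs the indicators over a constructed batch of host and network telemetry records (the event layout, the paths under C:\Users\alice, the Temp-folder executable and the port-443 connection are made up for the demonstration). Two practitioner caveats are built in: Packet.dll, npf.sys and wpcap.dll are the WinPcap packet-capture components and are also installed by legitimate tools, so they and the NPF service keys are scored as weak signals; and the Run value's data on the page (c:\test_item.exe) is the sandbox's name for the sample, so the check matches on the value name AmdAgent rather than on the path.

```python
"""Added example (not from the Sophos page): offline triage for Mal/FakeAV-OY
indicators. Hash tables and indicator strings are copied from the page;
the telemetry records below are constructed for the demonstration."""
import hashlib
import zlib

# Hashes copied from Example 1, Example 2 and Example 3 on the page.
KNOWN_SHA1 = {
    "000085a9f533e992322f349df93517ef0bd477bc": "Example 1 (433K)",
    "000159bcc5ce96cd8b7d18b195ed6be4fa18fb7f": "Example 2 (788K)",
    "000336a60dada5ab74dd596d10a359f45fddf430": "Example 3 (89K)",
}
KNOWN_MD5 = {
    "29e058a396914b03dac3c763244223af": "Example 1 (433K)",
    "5d6001142b71b6e08f92a90489d660fd": "Example 2 (788K)",
    "e66c82e9e49ae89013ef494f754b793e": "Example 3 (89K)",
}

# Runtime indicators of Example 2. Windows paths and registry keys are
# case-insensitive, so everything is compared in lower case.
DROPPED_FILES = {  # weak: these are the WinPcap components
    r"c:\windows\system32\packet.dll",
    r"c:\windows\system32\drivers\npf.sys",
    r"c:\windows\system32\wpcap.dll",
}
NPF_KEY = r"hklm\system\currentcontrolset\services\npf"          # weak
RUN_KEY = r"hklm\software\microsoft\windows\currentversion\run"  # strong
RUN_VALUE = "amdagent"
AMD_KEY = r"hkcu\software\amd"                                   # strong
C2_URL = "http://41.99.126.56/oxXpVU2wPF.htm"                    # strong
C2_IPS = {  # all contacted on TCP port 80 in the sandbox run
    "116.203.1.78", "122.205.10.79", "178.235.69.12", "182.160.61.87",
    "183.83.194.114", "212.79.112.212", "213.230.78.74", "220.89.81.3",
    "27.4.152.47", "41.102.54.55", "41.99.126.56", "42.201.221.1",
    "82.128.52.36", "84.240.224.137", "85.65.101.37", "87.206.97.14",
    "89.108.113.8", "89.146.112.55", "94.137.179.39", "95.57.112.13",
    "95.57.50.227",
}


def file_hashes(data: bytes) -> tuple:
    """Return (sha1, md5, crc32) hex digests in the format the page lists."""
    sha1 = hashlib.sha1(data).hexdigest()
    md5 = hashlib.md5(data).hexdigest()
    crc = "%08x" % (zlib.crc32(data) & 0xFFFFFFFF)
    return sha1, md5, crc


def identify_sample(data: bytes):
    """Name the page example a file matches, or None if its hashes are unknown."""
    sha1, md5, _ = file_hashes(data)
    return KNOWN_SHA1.get(sha1) or KNOWN_MD5.get(md5)


def _norm(s: str) -> str:
    return s.strip().lower().replace("/", "\\")


def _under(key: str, parent: str) -> bool:
    return key == parent or key.startswith(parent + "\\")


def match_events(events: list) -> list:
    """Scan telemetry records and return one hit per matching record."""
    hits = []
    for i, ev in enumerate(events):
        kind = ev.get("type")
        if kind == "file_create" and _norm(ev["path"]) in DROPPED_FILES:
            hits.append({"index": i, "indicator": "WinPcap component dropped", "confidence": "weak"})
        elif kind == "reg_set":
            key, value = _norm(ev["key"]), ev.get("value", "").lower()
            if key == RUN_KEY and value == RUN_VALUE:
                hits.append({"index": i, "indicator": "Run value AmdAgent", "confidence": "strong"})
            elif _under(key, AMD_KEY):
                hits.append({"index": i, "indicator": "HKCU\\Software\\Amd written", "confidence": "strong"})
            elif _under(key, NPF_KEY):
                hits.append({"index": i, "indicator": "NPF service key written", "confidence": "weak"})
        elif kind == "net_connect" and ev["dst"] in C2_IPS and ev.get("port") == 80:
            hits.append({"index": i, "indicator": "listed C2 address on port 80", "confidence": "strong"})
        elif kind == "http" and ev["url"] == C2_URL:
            hits.append({"index": i, "indicator": "listed C2 URL", "confidence": "strong"})
    return hits


def triage_verdict(hits: list) -> str:
    if any(h["confidence"] == "strong" for h in hits):
        return "likely Mal/FakeAV-OY"
    return "weak signals only" if hits else "no match"


# Constructed telemetry (hypothetical host "alice"), not from the page.
SAMPLE_EVENTS = [
    {"type": "file_create", "path": r"C:\WINDOWS\system32\drivers\npf.sys"},
    {"type": "file_create", "path": r"C:\Users\alice\Documents\report.docx"},
    {"type": "reg_set", "key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "value": "AmdAgent", "data": r"C:\Users\alice\AppData\Local\Temp\setup.exe"},
    {"type": "reg_set", "key": r"HKCU\Software\Amd", "value": "DB3", "data": "<binary>"},
    {"type": "reg_set", "key": r"HKLM\SYSTEM\CurrentControlSet\Services\NPF\Enum",
     "value": "NextInstance", "data": 1},
    {"type": "net_connect", "dst": "41.99.126.56", "port": 80},
    {"type": "net_connect", "dst": "41.99.126.56", "port": 443},  # not listed
    {"type": "http", "url": "http://41.99.126.56/oxXpVU2wPF.htm"},
    {"type": "http", "url": "http://example.com/index.html"},
]

if __name__ == "__main__":
    for h in match_events(SAMPLE_EVENTS):
        print(h)
    print(triage_verdict(match_events(SAMPLE_EVENTS)))
```

On a live host the same tables would be fed from Sysmon or EDR output rather than the constructed list; the Run key match on the value name, not the executable path, is what carries over to infections that were not run under the sandbox's test_item.exe name.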